Quantum Key Distribution with Blind Polarization Bases 
We propose a new quantum key distribution scheme that uses the blind polarization basis. In 
our scheme the sender and the receiver share key information by exchanging qubits with arbitrary 
polarization angles without basis reconciliation. As only random polarizations are transmitted, our 
protocol is secure even when a key is embedded in a not-so-weak coherent-state pulse. We show its 
security against the photon number splitting attack and the impersonation attack. 

Quantum key distribution (QKD), whose security is guaranteed by the laws of physics, has attracted widespread attention as it is ultimately secure and does not require computational and mathematical complexity unlike its classical counterparts [2]. Since the seminal work of a QKD protocol (BB84) by Bennett and Brassard, there have been theoretical proposals, experimental realizations and their security proofs. Recently, the security was proved based on entanglement for both the single-photon QKD and the entangled-state QKD. The continuous-variable QKD has also been proved to be a promising protocol to send secret keys with high transmission rate.

The QKD is one of the most promising applications of quantum information science and the gap between theory and practice has become narrower. In practical single-photon QKD, the source sometimes inevitably produces more than one photon at a time. In this case, the QKD is vulnerable to the photon number splitting (PNS) attack in which an eavesdropper (Eve) splits photons from the many-photon field and keeps them. Eve measures her photons when the bases are announced via the classical channel. The PNS attack is not always the best strategy, for example, as the photon cloning attack can sometimes be more powerful. The two attacks were compared in [9].

Recently Bostrom and Felder [10] came up with a conceptually new type of quantum secret coding, which allows information to be transmitted in a deterministic secure way, based on entanglement and two-way communication. This direct quantum coding protocol, sometimes called the ping-pong protocol, has been extended to single-photon implementation and its security was extensively studied [12].

In this Letter, we propose a new QKD scheme in which basis reconciliation via a classical channel is not necessary. In this QKD scheme, Alice chooses a random value of angle $\theta$ and prepares a photon state with the polarization of that angle. Bob also chooses another random value of angle $\phi$, further rotates the polarization direction of the received photon state by $\phi$ and then returns it to Alice. Alice encodes the message by rotating the polarization angle by $\pm\pi/4$ after compensating the angle by $-\theta$. Bob reads the photon state by measuring the polarization, after compensating the angle by $-\phi$. Alice and Bob shall choose random angles, $\theta$ and $\phi$, for each transmission of qubits. This will be continued until the desired number of bits are created.

The important advantages of our protocol are manifold: 1) The reconciliation of the polarization basis is not necessary. The strong point of our protocol is that the selected polarization angles $\theta$ and $\theta + \phi$ need not be discussed, as Bob and Alice do not need to know each other's polarization basis. Moreover, this may significantly increase the bit creation rate compared to the BB84 protocol and, in an ideal case, enables the direct quantum coding [13]. 2) In most other two-way QKDs, the receiver sends a random qubit and the key sender randomly decides one of the two sets of unitary operations on it. The unitary operation then becomes the key in the two-way QKD. A problem with this scheme is that the key may be disclosed to an eavesdropper who sends a spy photon along with the receiver's random photon traveling to the sender. However, in our protocol, all codings are random, which makes it robust against such an attack. 3) Our coding may be implemented by laser pulses (the security is guaranteed even for relatively high-intensity laser pulses). This advantage is due to the fact that the polarizations are completely arbitrary, which makes our protocol resistant to both the PNS attack and the attack based on two-photon interference. Meanwhile, one of the practical difficulties of the implementation of polarization QKD is the random fluctuation of the polarization due to birefringence in the fiber. However, as Muller et al. pointed out, the time scale of the random fluctuations in fibers is tens of minutes, which is long enough to enable polarization tracking to compensate them. The rate of errors caused by technical imperfections using today's technology is of the order of a few percent, under which our protocol is considered to be secure.

Protocol.- The procedure for the proposed QKD is as follows:

(a.1) Alice prepares a linearly polarized qubit in its initial state $|\psi_0\rangle = |0\rangle$, where $|0\rangle$ and $|1\rangle$ represent two orthogonal polarizations of the qubit, and chooses a random angle $\theta$.

(a.2) Alice rotates the polarization of the qubit by $\theta$ to bring the state of the qubit to $|\psi_1\rangle = U_y(\theta)|\psi_0\rangle = \cos\theta|0\rangle - \sin\theta|1\rangle$, where $U_y(\theta) = \cos\theta\,\mathbb{1} - i\sin\theta\,\sigma_y$ is the unitary operator which rotates the polarization angle along the y axis and $\sigma_y$ is the Pauli-y operator. Alice sends the qubit to Bob.

(a.3) Bob chooses another random angle $\phi$ and rotates the polarization of the received qubit by $\phi$; $|\psi_2\rangle = U_y(\phi)|\psi_1\rangle = \cos(\theta + \phi)|0\rangle - \sin(\theta + \phi)|1\rangle$. Bob sends the qubit back to Alice.

(a.4) Alice rotates the polarization angle of the qubit by $-\theta$ and then encodes the message by further rotating the polarization angle by $\pm\pi/4$; $|\psi_3\rangle = U_y(\pm\pi/4)U_y(-\theta)|\psi_2\rangle$. Alice sends the qubit to Bob. (Alice and Bob have predetermined that $\pi/4$ is, say, "0" and $-\pi/4$ is "1".)

(a.5) Bob measures the polarization after rotating the polarization by $-\phi$; $|\psi_4\rangle = U_y(-\phi)|\psi_3\rangle = U_y(\pm\pi/4)|\psi_0\rangle$. $U_y(+\pi/4)|\psi_0\rangle$ and $U_y(-\pi/4)|\psi_0\rangle$ are orthogonal to each other, which enables Bob to read the keys precisely.

By repeating the above protocol $k$ times with different random phases, Alice and Bob share $k$ bits of information. In order to verify the integrity of the shared key, the convention is to use a public channel to reveal some part of key bits. That kind of verification method has two weak points. 1) It usually degrades the efficiency of the key distribution. 2) It does not guarantee the integrity of the remaining key bits. In order to overcome those problems, we shall use the one-way hash function [17] for checking the integrity of the shared key bits.

(a.6) Alice announces the one-way hash function $H$ via a classical channel. Alice and Bob evaluate the hash values, $h_a = H(k_a)$ and $h_b = H(k_b)$ respectively, where $k_a$ and $k_b$ are shared keys in Alice and Bob. If $h_a = h_b$, they keep the shared keys, otherwise, they abolish the keys and start the process again from (a.1).

In (a.6) the difference between $h_a$ and $h_b$ implies that Alice and Bob do not share exactly the same keys. This is due to imperfection in the transmission or to Eve who intervened between Alice and Bob. Figure 1 shows the sketch of the experimental setup.
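
Steps (a.1)-(a.6) simulated for an ideal single-photon channel, as an added example that is not from the paper. SHA-256 stands in for the hash function $H$, and the `disturbance` rotation is a constructed model of a channel error; both are assumptions.

```python
import hashlib
import math
import random

def rot(t):
    # Polarization rotation; sign convention chosen so that
    # rot(t)|0> = cos t|0> - sin t|1>, the state written in step (a.2).
    c, s = math.cos(t), math.sin(t)
    return ((c, s), (-s, c))

def apply(u, v):
    return (u[0][0] * v[0] + u[0][1] * v[1], u[1][0] * v[0] + u[1][1] * v[1])

def send_bit(bit, rng, disturbance=0.0):
    """One pass of (a.1)-(a.5); returns the bit Bob reads."""
    theta = rng.uniform(0, 2 * math.pi)      # Alice's private angle
    phi = rng.uniform(0, 2 * math.pi)        # Bob's private angle
    psi = apply(rot(theta), (1.0, 0.0))      # (a.2) Alice -> Bob
    psi = apply(rot(phi), psi)               # (a.3) Bob -> Alice
    psi = apply(rot(disturbance), psi)       # constructed channel error (assumption)
    enc = math.pi / 4 if bit == 0 else -math.pi / 4
    psi = apply(rot(enc), apply(rot(-theta), psi))   # (a.4) Alice -> Bob
    psi = apply(rot(-phi), psi)              # (a.5) Bob undoes his own angle
    zero = apply(rot(math.pi / 4), (1.0, 0.0))       # state that encodes "0"
    p_zero = (zero[0] * psi[0] + zero[1] * psi[1]) ** 2
    return 0 if rng.random() < p_zero else 1

def key_hash(bits):
    # SHA-256 stands in for the one-way hash H of step (a.6) (assumption).
    return hashlib.sha256(bytes(bits)).hexdigest()

def run_session(n_bits=64, disturbance=0.0, seed=1):
    rng = random.Random(seed)
    k_a = [rng.randrange(2) for _ in range(n_bits)]
    k_b = [send_bit(b, rng, disturbance) for b in k_a]
    return k_a, k_b, key_hash(k_a) == key_hash(k_b)   # (a.6) keep or discard

if __name__ == "__main__":
    for d in (0.0, 0.2, math.pi / 2):
        k_a, k_b, keep = run_session(disturbance=d)
        errors = sum(x != y for x, y in zip(k_a, k_b))
        print(f"disturbance={d:.2f} rad  bit errors={errors}/64  keep key={keep}")
```

Neither party ever uses the other's angle: the rotations about the same axis commute, so Alice's $-\theta$ and Bob's $-\phi$ cancel their own contributions wherever they are applied.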

FIG. 1: Schematic diagram for the experimental setup. PR: Polarization Rotator; M1, M2, M3, and M4: Mirrors; PD0 and PD1: Photodetectors; PBS: Polarization Beam Splitter.

Security.- For a perfect channel with single-photon keys, it is obvious that the eavesdropper cannot obtain much information by the intercept-and-resend attack as all three signal transmissions are of random polarizations. In our protocol, the random polarizations lie on the equator of the Poincare sphere. The optimum estimation of a single-photon qubit in this case gives the fidelity 3/4, where the fidelity is one when the estimation is perfect or zero when the original state is orthogonal to the estimation. (In this Letter, we will consider the fidelity as the amount of information.) The interference can be easily noticed during the protocol (a.6). Another possible attack is that Eve sends a spy pulse to Bob to find the random value $\phi$ of Bob's operation. In order to do so, Eve should perform quantum tomography which requires an intense spy pulse. This should be easy to notice.

A single-photon QKD is not very economical not only because it is difficult to have a reliable single-photon source but also because photons can easily be lost due to imperfect channel efficiency. In particular, in our protocol the key has to travel three times between Alice and Bob so the loss may not be negligible. If a key is encoded on a coherent-state pulse, the protocol can be vulnerable against the PNS attack. We thus examine the security of our protocol against the PNS attack. A coherent-state pulse of its amplitude $\alpha$ ($\alpha \in \mathbb{R}$) is $|\alpha\rangle = \exp(-\alpha^2/2) \sum_{n=0}^{\infty} \alpha^n/\sqrt{n!}\,|n\rangle$ where $|n\rangle$ is the photon-number eigenstate. The mean photon number of the pulse is $\alpha^2$. Let us assume that the channel efficiency is $\eta$ for one trip either from Alice to Bob or vice versa. The amplitude then reduces to $\eta\alpha$ from $\alpha$. For convenience, $\eta$ is taken to be real throughout the Letter.

(Attack 1) As usual, we assume that Eve is so superior that her action is limited only by the laws of physics. She replaces the lossy channel by a perfect one and puts a beam splitter of the amplitude transmittivity $\eta$ in the middle. The reflected field, which is a coherent state with its amplitude $\sqrt{1-\eta^2}\,\alpha$, will be the source of information to Eve. In the protocol (a.1)-(a.5), the information transmitted between Alice and Bob is of random polarization. From earlier works, we know that the maximum information one can obtain from a set of identically prepared qubits whose polarization is completely unknown depends on the number of qubits. Massar and Popescu [19] found that the maximum amount of information which can be extracted from $n$ identical spin-1/2 particles is $I(n) = (n+1)/(n+2)$ when the particle lies at any point on the Poincare sphere. However, in our protocol, the photon polarizations lie on the equator of the Poincare sphere. In this case, Derka et al. found that the optimum state estimation from $n$ qubits gives the maximal mean fidelity

Let us first consider the maximum information Eve can get from the Alice $\to$ Bob channel in (a.2). The probability $P(n)$ of there being $n$ photons in the coherent state $|\sqrt{1-\eta^2}\,\alpha\rangle$ is

$P_{a.2}(n) = \exp[-(1-\eta^2)\alpha^2]\,[(1 \ldots$ (2)

Then the maximum amount of information Eve can get from the channel in (a.2) is $I_{a.2} = \sum_{n=0}^{\infty} P_{a.2}(n) I(n)$. Eve has to take the PNS attack on the Bob $\to$ Alice channel in (a.3). As Bob has received the attenuated coherent state $|\eta\alpha\rangle$, the amplitude of Eve's state is $\eta(1-\eta^2)^{1/2}\alpha$. Similarly, the amplitude of Eve's state from tapping the Alice $\to$ Bob channel in (a.4) is $\eta^2(1-\eta^2)^{1/2}\alpha$. We calculate the maximum information $I_{a.3}$ and $I_{a.4}$.

It is obvious that the overall maximum information Eve can obtain is bounded by $I_E = \min(I_{a.2}, I_{a.3}, I_{a.4})$, which is plotted in Fig. 2 (solid lines) for various cases. For the realistic channel efficiency $\eta^2 = 0.5$, the pulse of its amplitude $\alpha = 2.83$ gives the average number of photons delivered to Bob about 1 after the process (a.4). Figure 2 (a) shows that Eve's information in this case is bounded by about 0.7, while Alice and Bob always share the perfect information, i.e. the amount of information $I_{AB}$ between Alice and Bob is unity. Even though the probability of not having a photon is about 36.8% for a coherent-state pulse of its amplitude 1, as Alice and Bob discard the empty qubits, this should not lower the shared information.

As $\alpha$ gets larger, we see that Eve's information becomes unity in Fig. 2 (a). It is known that the rate of the secure key depends on the difference between $I_{AB}$ and $I_E$ [20]. As $\alpha$ gets larger the rate will decrease. Another interesting result seen in Fig. 2 (b) is that the maximum bound for Eve's information does not necessarily grow as the channel becomes less efficient. Eve's information is bounded by the minimum of $I_{a.2}$, $I_{a.3}$ and $I_{a.4}$ which depend on the intensities of the qubit pulses during (a.2), (a.3) and (a.4), respectively. The intensity of the qubit pulse decreases as the number of its laps between Alice and Bob increases. $I_E$ is thus determined by $I_{a.4}$, proportional to the intensity of the qubit pulse, $(1-\eta^2)\eta^4\alpha^2$, which maximizes at $\eta^2 = 2/3$. When $\eta$ is small, as many photons are taken out during the initial transmission (a.2), there remain too few photons, which gives less information in the later stage (a.4). The information bound grows as $\eta$ grows but it eventually converges to $I_E = 0.5$ as $\eta^2 \to 1$, shown in Fig. 2 (b).

FIG. 2: Maximum bound for Eve's information $I_E$ is plotted against the initial amplitude $\alpha$ of the coherent-state pulse (a). Various curves are according to various channel efficiencies $\eta^2$ as shown along the curves. In (b), $I_E$ is plotted against the channel efficiency for three values of the initial amplitude $\alpha$ of the pulse. Solid curves are for Attack 1 and dotted curves for Attack 2.

(Attack 2) If Alice and Bob do not randomly check the intensities at (a.2) and (a.3), Eve only needs to make sure that the final amplitude, which Bob measures at (a.4), is $\eta^3\alpha$. Then $I_E$ is optimized when Eve extracts the same amount of information at each step of (a.2), (a.3) and (a.4) keeping the final amplitude which is measured by Bob. In this case, $I_E = I_{a.2} = I_{a.3} = I_{a.4}$ and the amplitude of Eve's field is always $\sqrt{(1-\eta^6)/3}\,\alpha$. The amount of information is plotted in dotted lines (Fig. 2), where $I_E$ monotonically grows as the channel becomes less efficient. For $\eta^2 = 0.5$ and $\alpha = 2.83$, $I_E \approx 0.83$.

(Impersonation Attack) Our protocol is vulnerable to an impersonation attack where Eve1 impersonates Bob to Alice, reads the key and then sends it to Eve2. Receiving the key, Eve2, who impersonates Alice to Bob, relays it to Bob without being noticed. We suggest slightly modifying the protocol against this impersonation attack on the quantum channel, leaving the basic philosophy of the protocol the same. Let us consider that Alice, instead of one pulse, sends two coherent-state pulses of the polarization angles $\theta_1$ and $\theta_2$. Bob rotates the polarization angles of the pulses by $\phi + (-1)^s\pi/4$ and $\phi + (-1)^{s\oplus 1}\pi/4$, where the shuffling parameter $s \in \{0, 1\}$ is randomly chosen by Bob and $\oplus$ denotes addition modulo 2. Receiving the two pulses of their polarization angles $\theta_1 + \phi + (-1)^s\pi/4$ and $\theta_2 + \phi + (-1)^{s\oplus 1}\pi/4$, Alice rotates the polarization angles of the pulses by $-\theta_1 + (-1)^k\pi/4$ and $-\theta_2 + (-1)^k\pi/4$ respectively, where $k \in \{0, 1\}$ is the key value. She blocks one of the qubits and sends the other to Bob. It is important for Alice to delay the first pulse if it is let go, so that impersonating Eve1 does not recognize which pulse was blocked. Here, we introduce the blocking factor $b$ to denote the case to let the $b$-th qubit go. The qubit in state $|\psi_{sk}(b)\rangle$ will travel to Bob, where $|\psi_{00}(1)\rangle = |\psi_{10}(2)\rangle = |\phi + \pi/2\rangle$ and $|\psi_{00}(2)\rangle = |\psi_{10}(1)\rangle = |\phi\rangle$ for the key value $k = 0$, and $|\psi_{01}(1)\rangle = |\psi_{11}(2)\rangle = |\phi\rangle$ and $|\psi_{01}(2)\rangle = |\psi_{11}(1)\rangle = |\phi - \pi/2\rangle$ for $k = 1$. Upon receiving the qubit, Bob applies $U_y(-\phi)$ on it and measures the polarization. Depending on blocking as well as shuffling, he obtains the measurement outcome $l_{sk}(b) = s \oplus k \oplus b$ as the pre-key bit value. Alice publicly announces her blocking factor $b$ for Bob to be able to decode the original key bit $k$ by $k = s \oplus b \oplus l$. Alice and Bob verify the shared key by exchanging the hash value of the key. The shuffling parameter $s$ is Bob's private information, which introduces additional random flipping of the key. Eve's impersonation without knowing the $s$ value should induce errors in the shared key with the probability of 0.5 and be noticed during the comparison of the hash value. In implementation, two pulses of a key could be comfortably manipulated for their separation of about 100 nsec while the distance between two keys may be in the order of 100 $\mu$sec. We have restricted our discussion only to the impersonation attack on the quantum channel. If such an attack is considered for the public channel as well, an authentication procedure has to be introduced.
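
The decoding rule of the modified two-pulse protocol, checked by tracking polarization angles for every combination of $s$, $k$ and $b$ (an added example, not from the paper). The angle values are constructed, and $b \in \{1, 2\}$ is taken modulo 2 inside the XOR, which is an assumption that reproduces the state table above.

```python
import math
from itertools import product

def bob_prekey(s, k, b, theta=(0.7, 2.1), phi=1.3):
    """Follow the b-th pulse through the exchange; return Bob's outcome l.

    theta and phi are constructed sample angles; any values give the same l.
    """
    # Bob's rotations: phi + (-1)^s pi/4 on pulse 1,
    # phi + (-1)^(s xor 1) pi/4 on pulse 2.
    bob = (phi + (-1) ** s * math.pi / 4,
           phi + (-1) ** (s ^ 1) * math.pi / 4)
    i = b - 1                                       # Alice lets the b-th pulse go
    angle = theta[i] + bob[i]                       # pulse as it returns to Alice
    angle += -theta[i] + (-1) ** k * math.pi / 4    # Alice undoes theta_i, encodes k
    angle -= phi                                    # Bob applies U_y(-phi)
    # The angle is now 0 or +-pi/2; for cos(a)|0> - sin(a)|1> the
    # probability of the |1> outcome is sin^2(a).
    return round(math.sin(angle) ** 2)

def decode(s, b, l):
    # k = s xor b xor l, with b reduced modulo 2
    return s ^ (b % 2) ^ l

def check_rules():
    """Rows of (s, k, b, l, k decoded with Bob's s, k decoded with the wrong s)."""
    rows = []
    for s, k, b in product((0, 1), (0, 1), (1, 2)):
        l = bob_prekey(s, k, b)
        rows.append((s, k, b, l, decode(s, b, l), decode(s ^ 1, b, l)))
    return rows

if __name__ == "__main__":
    for row in check_rules():
        print(row)
```

The last column shows that decoding the same outcome with the other value of $s$ always yields the flipped bit, which is the random flipping the text attributes to the shuffling parameter.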

Remarks.- We have considered a new QKD protocol which does not require reconciliation of polarization bases. All the operations are random and independent, which makes the protocol robust against eavesdropping attacks. The protocol is secure even for a not-so-weak coherent-state pulse, which may let one overlook the problem that a key has to travel three times between Alice and Bob. We have assumed for Alice and Bob to abolish the keys if hash comparison was negative and also ignored possible noise. The error rate due to noise is currently about a few percent, under which Eve's information is not more than the information shared by Alice and Bob. It should be possible to estimate a security threshold and proceed with standard classical protocols to distill a shorter secret key via privacy amplification.